13 November 2024

Ankura CTIX FLASH Update - November 8, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit ankura.com.

SteelFox Infostealer and CryptoMiner Delivered via Cracked Software

Researchers have identified a new malware bundle developed for Windows machines that drops both infostealing and cryptomining malware on victim devices. Active since at least February 2023 but only recently discovered, SteelFox is a malware dropper that uses a "bring your own vulnerable driver" (BYOVD) technique to obtain SYSTEM privileges on the victim's Windows machine. SteelFox is delivered via cracked software such as Foxit PDF Editor, JetBrains products, and AutoCAD. The download does contain the cracked version of the software, but it also bundles the SteelFox malware. The administrative access required to install the software is abused to create a service that loads a version of WinRing0.sys with two known vulnerabilities, which are exploited to give the attacker NT\SYSTEM privileges. The same driver is a component of the XMRig miner, which the attacker uses for cryptojacking, connecting to a mining pool with hardcoded credentials. SteelFox uses SSL pinning and TLS 1.3 for its command-and-control connection. It is capable of harvesting and exfiltrating data from a wide variety of web browsers, including stored cookies, credit card details, location, and search history. To date, researchers have identified compromised systems primarily in Brazil, China, Russia, and Mexico. CTIX analysts advise organizations and individuals to refrain from downloading software through illegitimate channels. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
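The BYOVD step described above leaves a concrete artifact on the host: a new kernel-mode service whose image is a known vulnerable driver, often loaded from somewhere other than the system drivers directory. The following Python example, added here as an illustration and not code from the original article or from the researchers it cites, scans constructed service-installation records for that pattern. The flattened `EventID=7045 ...` line format and the sample entries are constructed for this example; WinRing0.sys comes from the article, while WinRing0x64.sys is assumed to be the 64-bit build of the same driver. Hash-based matching against a vulnerable-driver blocklist is the stronger control, but no driver hashes are given on the page, so only name and location heuristics are shown.

```python
import re
from dataclasses import dataclass

# Driver names tied to the BYOVD technique. WinRing0.sys is named in the
# article; WinRing0x64.sys is assumed here to be its 64-bit build.
VULNERABLE_DRIVER_NAMES = {"winring0.sys", "winring0x64.sys"}

# Kernel drivers are normally installed under System32\drivers. A kernel-mode
# service whose image lives elsewhere (user profile, temp, a cracked app's
# folder) is a stronger signal than the name alone.
EXPECTED_DRIVER_DIR = re.compile(
    r"^(?:%systemroot%|c:\\windows)\\system32\\drivers\\", re.IGNORECASE
)

# Constructed, simplified representation of a "service installed" event
# (Windows System log Event ID 7045). Real events carry the same fields in XML.
EVENT_RE = re.compile(
    r"EventID=7045\s+ServiceName=(?P<name>[^;]+);\s*ImagePath=(?P<path>[^;]+);"
    r"\s*ServiceType=(?P<type>[^;]+);\s*Account=(?P<acct>[^;\s]+)"
)


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    service_type: str
    account: str


def parse_event(line):
    """Return a ServiceInstall for a 7045 line, or None for anything else."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return ServiceInstall(
        m["name"].strip(), m["path"].strip(), m["type"].strip(), m["acct"].strip()
    )


def driver_basename(image_path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(svc):
    """List the reasons a service installation looks like a BYOVD load."""
    reasons = []
    if driver_basename(svc.image_path) in VULNERABLE_DRIVER_NAMES:
        reasons.append("known vulnerable driver name")
    if svc.service_type.lower() == "kernel mode driver" and not EXPECTED_DRIVER_DIR.match(svc.image_path):
        reasons.append("kernel driver loaded from outside the drivers directory")
    return reasons


def scan(lines):
    """Return (service_name, image_path, reasons) for every suspicious install."""
    findings = []
    for line in lines:
        svc = parse_event(line)
        if svc is None:
            continue
        reasons = assess(svc)
        if reasons:
            findings.append((svc.service_name, svc.image_path, reasons))
    return findings


# Constructed sample log: one BYOVD-style install, one legitimate user-mode
# service, one legitimate vendor driver in the expected directory, and one
# unrelated event ID that must be ignored.
SAMPLE_LOG = [
    r"EventID=7045 ServiceName=WinRing0_1_2_0; ImagePath=C:\Users\Public\FoxitCrack\WinRing0x64.sys; ServiceType=kernel mode driver; Account=LocalSystem",
    r"EventID=7045 ServiceName=Spooler; ImagePath=C:\Windows\System32\spoolsv.exe; ServiceType=user mode service; Account=LocalSystem",
    r"EventID=7045 ServiceName=vendordrv; ImagePath=C:\Windows\System32\drivers\vendordrv.sys; ServiceType=kernel mode driver; Account=LocalSystem",
    r"EventID=7036 ServiceName=Spooler; ImagePath=C:\Windows\System32\spoolsv.exe; ServiceType=user mode service; Account=LocalSystem",
]

if __name__ == "__main__":
    for name, path, reasons in scan(SAMPLE_LOG):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"  - {r}")
```

Only the first sample line is flagged, for both reasons; the vendor driver in `System32\drivers` and the non-7045 event pass. In a real deployment the same two checks would be applied to the XML fields of Event ID 7045 (or the equivalent Sysmon driver-load event), with the name set replaced by a hash blocklist.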

Threat Actor Activity

Suspect Behind Snowflake Hack Arrested in Canada

Canadian authorities have arrested Alexander "Connor" Moucka, a suspect linked to a series of major data breaches involving the cloud storage company Snowflake. Known by aliases such as "Waifu" and "Judische," Moucka was apprehended on October 30, 2024, following a request from the United States. The arrest is tied to allegations of Moucka's involvement in hacking over one hundred sixty-five (165) organizations, including significant corporations like AT&T, Ticketmaster, and Neiman Marcus, by exploiting stolen customer credentials. These breaches, which began in April 2024, have compromised the data of hundreds of millions, including the call logs of over a hundred million AT&T customers and personal information of five hundred sixty million Ticketmaster users. The joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that the breaches were facilitated by the lack of multi-factor authentication (MFA) on affected Snowflake accounts. In response, Snowflake has since mandated MFA for new accounts and required stronger password protocols. The hacker group behind these attacks, identified as UNC5537, is believed to be financially motivated, with members based in North America and an affiliate in Turkey. This group reportedly used infostealer malware to obtain initial access and targeted companies by threatening to sell stolen data unless ransoms were paid. In one instance, AT&T allegedly paid $370,000 to prevent the sale of its compromised data. Moucka's arrest is part of a broader effort to address cybercrime linked to a network known as the Com, which is involved in both digital and physical crimes. He is also suspected of collaborating with another hacker, John Erin Binns, who was detained in Turkey earlier in 2024 for his involvement in a previous breach of T-Mobile.

Vulnerabilities

Cisco Patches Critical URWB Vulnerability in Unified Industrial Wireless Systems

Cisco has addressed a critical vulnerability in its Unified Industrial Wireless Software, which allows unauthenticated, remote attackers to execute commands with root privileges on Ultra-Reliable Wireless Backhaul (URWB) access points. This flaw, tracked as CVE-2024-20418 (CVSS score of 10/10), caused by improper input validation in the software's web-based management interface, enables low-complexity command injection attacks. Affected devices include Catalyst IW9165D, IW9165E, and IW9167E models when operating in URWB mode. Discovered during internal security testing, the vulnerability has been patched in software version 17.15.1, with Cisco urging users to update from earlier versions. While no active exploitation or public exploit code has been reported, Cisco emphasizes the importance of prompt patching to mitigate potential risks. This fix follows recent efforts to address similar command injection vulnerabilities exploited in large-scale attacks, highlighting the ongoing need for robust security practices in industrial networks. CTIX analysts strongly urge any affected users to download and install the latest security patch immediately to prevent exploitation.
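Deciding which devices still need the fix comes down to three facts from the advisory summary above: the model list, URWB mode, and whether the running software predates 17.15.1. The Python example below, added here and not code from Cisco or the original article, encodes that triage over a constructed inventory. Its main point is the version comparison: as plain strings, "17.9.5" sorts after "17.15.1", so a naive string check would wrongly mark an unpatched device as fixed. The inventory entries, hostnames and the `urwb_mode` field are constructed for this example.

```python
import re

# Fixed release named in the advisory summary.
FIXED_VERSION = "17.15.1"

# Models listed as affected when operating in URWB mode.
AFFECTED_MODELS = {"IW9165D", "IW9165E", "IW9167E"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(version):
    """Turn '17.9.5' into (17, 9, 5, '') so comparison is numeric, not lexical.

    A trailing letter (e.g. a rebuild suffix) is kept as a string; it only
    matters when the numeric parts are equal. Unrecognised strings raise
    rather than silently comparing as 'not vulnerable'.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def is_vulnerable(model, version, urwb_mode):
    """True if the device matches the advisory's affected conditions."""
    if model not in AFFECTED_MODELS or not urwb_mode:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return hostnames that still need the 17.15.1 update."""
    return [
        dev["host"]
        for dev in inventory
        if is_vulnerable(dev["model"], dev["version"], dev["urwb_mode"])
    ]


# Constructed inventory records (hostnames and values are examples only).
INVENTORY = [
    {"host": "ap-plant-01", "model": "IW9165D", "version": "17.9.5", "urwb_mode": True},
    {"host": "ap-plant-02", "model": "IW9167E", "version": "17.15.1", "urwb_mode": True},
    {"host": "ap-yard-03", "model": "IW9165E", "version": "17.12.2", "urwb_mode": False},
    {"host": "ap-office-04", "model": "IW9167E", "version": "17.15.1a", "urwb_mode": True},
    {"host": "wlc-core-01", "model": "C9800-40", "version": "17.9.4", "urwb_mode": False},
]

if __name__ == "__main__":
    print("Devices needing the fix:", triage(INVENTORY))
    # Shows why the string comparison cannot be trusted for this decision.
    print("'17.9.5' < '17.15.1' as strings:", "17.9.5" < "17.15.1")
```

`ap-plant-01` is the only device returned: it is an affected model in URWB mode running a release older than 17.15.1. `ap-yard-03` is an affected model but not in URWB mode, which the advisory lists as a precondition, and the controller is not in the affected model set at all.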

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
